Yesterday, a federal court held that a company’s financial losses for mis-wiring funds as a result of a phishing scam were not covered under a computer crime insurance policy. The decision, American Tooling Ctr. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108 (E.D. Mich. Aug. 1, 2017) is another case in which financial losses resulting from a phishing scam were held to be unrecoverable under insurance.
In that case, the insured, American Tooling Center (“ATC”), was a tool and die manufacturer that outsourced some of its work to other die manufacturing companies overseas, including a vendor called Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). As part of its normal business practice, ATC issued purchase orders to YiFeng, which in turn manufactured the requested dies. ATC paid YiFeng in stages based upon completion of certain milestones. To receive payment, YiFeng submitted its invoices to ATC by email. Once ATC verified that the milestone had been met, it wired the appropriate payment to YiFeng. Id. at 2.
In March 2015, ATC’s Vice President/Treasurer emailed his contact at YiFeng, requesting copies of all outstanding invoices. In response, the ATC officer received an email purportedly from YiFeng, but which really was a spoofed email from a third party. (The third party made the email appear to be from YiFeng by using the email domain “yifeng-rnould” domain, not the correct domain “yifeng-mould.com”). Id. The third party, pretending to be from YiFeng, instructed ATC to send payments for several legitimate outstanding invoices to a new bank account. Without verifying these new instructions, ATC wire transferred approximately $800,000 to a bank account that was not controlled by YiFeng. When the fraud was detected, the money was gone. Id. at 3.
ATC sought recovery under its computer crime policy. The policy provided that “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” The policy defined “Computer Fraud” as:
The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:
to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or
to a place outside the Premises or Financial Institution Premises.
Id. at 3. The carrier argued that coverage did not exist because there was no “direct loss” that was “directly caused by the use of a computer,” as required by the policy. Id.
Noting that the Sixth Circuit, applying Michigan law, previously had held that the term “direct” means “immediate” and without intervening acts, the American Tooling court concluded that there was no direct loss directly caused by a computer to implicate coverage. Simply put: there were too many intervening acts between the phishing email and the transfer of money to satisfy the insuring language of the policy. Id. at 5 (citing Manufacturing & Technologies Ass’n v. Hartford Fire Ins. Co., 693 F.3d 665, 673 (6th Cir. 2012)). The court stated that the “intervening events between ATC’s receipt of the fraudulent emails and the transfer of funds (ATC verified production milestones, authorized the transfers, and initiated the transfers without verifying bank account information) preclude a finding of ‘direct’ loss ‘directly caused’ by the use of any computer.” Id.
Agreeing with the reasoning of the Fifth Circuit in Apache Corp. v. Great American Ins. Co., 662 Fed. App’x 252 (5th Cir. 2016) (written about in The Coverage Inkwell in October 2016), the American Tooling court stated that “the mere sending/receipt of fraudulent emails did not constitute ‘the use of any computer to fraudulently cause a transfer.’” Id. at 6. The court explained:
Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the “use of any computer to fraudulently cause a transfer.” There was no infiltration or “hacking” of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.
Further, because of the wide spread use of computers as a means of communication, the court, like the Fifth and Ninth Circuits, feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud: “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” Id. at 7 (quoting Apache and Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x 332 (9th Cir. 2016)).
This case shows that to implicate computer fraud, the computer must be a critical instrumentality of the fraud, and not merely incidental to it. The case also highlights the costs of phishing attacks. According to a May 4, 2017 FBI Bulletin, between October 2013 and December 2016, American businesses saw losses from phishing scams approach $1.6 billion: $500 million every year with dollar figures climbing sharply – up 2370% between January 2015 and December 2016. Companies must implement appropriate cybersecurity measures, including employee training, to prevent such loss. A small investment in appropriate cybersecurity processes today can save your company hundreds of thousands or millions of dollars tomorrow.